10.8 Active Directory - AD groups disappearing

ClassicII
Contributor III

Hey Guys,

We are experiencing a problem in 10.8 where a user's AD groups disappear. You can run an id on the user at the terminal and it will not pull the proper groups. But then sometimes they will come back? We notice this most with users on VPN. We have multiple DCs and I was thinking of pointing the Mac to just one to see if that makes a difference. The only way to get the groups back on VPN is to flush the directory cache: dscacheutil -flushcache. I can reproduce this sometimes by kicking on the screen saver, which is an "Authentication Event"; once past the screen saver, the groups are gone. I cannot reproduce this 100% of the time though.

Has anyone else seen this?

1 REPLY

lisacherie
Contributor II

When the clients are in this state are you able to browse AD using dscl?

e.g.

dscl
cd /Active\ Directory/<your domain>
ls

If you get an error here you can try the command below, then attempt browsing AD again via dscl, before verifying group memberships with the id command.

sudo killall opendirectoryd

This appears to be caused by the presence of custom edu.mit.Kerberos files.